A vpn (that you trust) would certainly help a little, but in the above case the connection can still be mitmed from the vpn server to the application backend

Edit: I would for my personal devices, unless I knew the app did something horrendous in advance- but I guess the core problem is you really have no way of knowing unless you check the app yourself or there is a known and reported vulnerability.

I wouldn't, especially not having looked at the VPN at first. It might expose you to even more attackers than could fit in your Starbucks

VPNs have a bad reputation, but I trust Mullvad (have used and paid them often), and Proton (currently paying them).

I trust Mullvad more than others, because IIRC they were one of the few that actually had RAM only infrastructure when they were audited